Securing forms in Drupal

Form handling is one of the most crucial areas of website security. Inappropriate handling of form data can lead to multiple security weaknesses including SQL injection and cross-site request forgeries (CSRF). While we cannot cover all aspects of security in a brief chapter, it is important to state some clear guidelines for Drupal module developers.


See for information on CSRF, and for cross-site scripting (XSS) see

The Forms API

First and foremost, you should always use the Drupal Forms API when creating and processing forms in Drupal. For one, doing so makes your life easier because the Forms API contains standards for form definition, AJAX handling, ...
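The following Drupal 7 form is an added example, not code from the book. It shows how building, validating and submitting through the Forms API addresses the two weaknesses named above. The module name `example`, the table `example_subscribers` and its columns are assumptions.

```php
<?php
// Added example. Hypothetical module "example"; table and columns are assumed.

/**
 * Form builder. Render it with drupal_get_form('example_subscribe_form').
 * Drupal adds form_build_id and, for logged-in users, a form_token element,
 * so the builder does not have to implement CSRF protection itself.
 */
function example_subscribe_form($form, &$form_state) {
  $form['email'] = array(
    '#type' => 'textfield',
    '#title' => t('E-mail address'),
    '#required' => TRUE,
    '#maxlength' => 254,
  );
  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Subscribe'),
  );
  return $form;
}

/**
 * Validation handler. Drupal checks the form token as part of its own
 * validation; this function only checks the module's own field.
 */
function example_subscribe_form_validate($form, &$form_state) {
  if (!valid_email_address($form_state['values']['email'])) {
    form_set_error('email', t('Enter a valid e-mail address.'));
  }
}

/**
 * Submit handler. db_insert() binds the value as a query parameter, so the
 * submitted text is never concatenated into SQL.
 */
function example_subscribe_form_submit($form, &$form_state) {
  $email = $form_state['values']['email'];
  db_insert('example_subscribers') // Hypothetical table.
    ->fields(array('email' => $email, 'created' => REQUEST_TIME))
    ->execute();
  // The @ placeholder runs the value through check_plain() before output.
  drupal_set_message(t('Subscribed @email.', array('@email' => $email)));
}
```

Reading `$_POST` directly or building the query string by hand would bypass both the token check and the parameter binding shown here.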
